Allow to whitelist config modifiers

Signed-off-by: Claudio Vellage <claudio.vellage@pm.me>
This commit is contained in:
Claudio Vellage 2022-03-13 10:00:10 +01:00 committed by poiana
parent a5d3663c75
commit 4705a92c49


@ -443,6 +443,9 @@
- list: shell_config_directories
items: [/etc/zsh]
- macro: user_known_shell_config_modifiers
condition: (never_true)
- rule: Modify Shell Configuration File
desc: Detect attempt to modify shell configuration files
condition: >
@ -452,6 +455,7 @@
fd.directory in (shell_config_directories))
and not proc.name in (shell_binaries)
and not exe_running_docker_save
and not user_known_shell_config_modifiers
output: >
a shell configuration file has been modified (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository)
priority:
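Review bot: The new `user_known_shell_config_modifiers` macro in the first hunk has no comment saying how it is meant to be overridden or how narrowly its condition should be scoped, even though it is negated into the rule's condition in the second hunk and so can silence `Modify Shell Configuration File` entirely. Since the shipped default is `(never_true)`, a reader of the ruleset cannot tell whether the macro is a placeholder or an intentional hook without looking at the rule. I would add above the macro: `# Placeholder for known, legitimate shell-config writers. Override it in a local rules file (for example falco_rules.local.yaml), keeping the condition tied to exact fields such as proc.name or proc.exepath so the exclusion does not also suppress a process imitating them.` The rule's `condition: >` block begins on the last line of the first hunk and continues outside it; the second hunk is the tail of that same condition, so the full exclusion chain is not visible here.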